HOW TO: Configure Client Certificate Mappings in Internet Information Services (IIS) 5.0
Article ID: 313070
Last Review: June 28, 2004
Revision: 1.0
This article was previously published under Q313070
SUMMARY
This step-by-step article describes how to configure client certificate mappings in Internet
Information Services (IIS) 5.0.
Mapping Client Certificates to User Accounts
In IIS, you can authenticate users who log on with a client certificate by mapping the certificates to Windows user accounts. The mapped certificates are used either to deny access to Web resources or to grant the rights and permissions of the mapped user account. There are two methods for mapping certificates:
• One-to-one mapping: maps a single client certificate to a single user account. The server compares its stored copy of the certificate with the client certificate that is sent by the browser. Both certificates must be identical for the mapping to proceed.
• Many-to-one mapping: maps multiple certificates to a single user account. It uses wildcard matching rules to define the certificate criteria for mapping. This type of mapping does not compare the actual client certificate; instead, it accepts any client certificate that meets the specified criteria. Certificates that match the rules are mapped to the designated user account.
Windows 2000 Active Directory Service Mapping
In IIS, you can also map a certificate to a Windows user account by using the Microsoft
Windows 2000 Active Directory directory service feature. This option is available only at the
Master properties level and if the server is a member of a Windows 2000 domain.
To enable the Windows directory service mapper:
1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. In the Internet Information Services pane, right-click server name, where server name is the name of the server, and then click Properties.
3. Click the Internet Information Services tab.
4. Under Master Properties, click WWW Service, and then click Edit.
5. In the WWW Service Master Properties for server name Properties dialog box, click the Directory Security tab.
6. Under Secure communications, click to select the Enable the Windows directory service mapper check box, and then click OK.
For more information about Windows 2000 Active Directory Service mapping, click Start, click Help, click the Index tab, and then type mapping certificates.
One-to-One Mapping
Export a Certificate
In IIS one-to-one mapping, some certificates must first be exported. To export a certificate for use in IIS one-to-one mapping:
1. Start Internet Explorer, and then click Internet Options on the Tools menu.
2. Click the Content tab.
3. Under Certificates, click Certificates, and then click the Personal tab.
4. Click the certificate that you want to export, and then click Export to start the Certificate Export Wizard.
5. Click Next.
6. Click No, do not export the private key, and then click Next.
7. Click Base-64 encoded X.509 (.CER), and then click Next.
8. In the File name box, click Browse, specify a name and location where you want to save the file, and then click Save.
9. Click Next, and then click Finish.
10. Click OK to the "The export was successful" message, click Close, and then click OK. The certificate is ready for one-to-one mapping in IIS. This procedure needs to be completed once for each certificate.
Map a Specific Client Certificate to a User Account
To map a specific client certificate to a user account:
1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties.
3. Click the Directory Security tab, and then under Secure communications, click Edit.
4. Click to select the Enable client certificate mapping check box, and then click Edit.
5. Click the 1-to-1 tab, and then click Add.
6. In the Open box, locate the certificate file, and then click Open.
NOTE: If you cannot locate the certificate file, you may need to export the file.
7. In the Map to Account dialog box, use the following steps:
a. In the Map Name box, type a map name.
b. In the Account box, type, or click Browse to browse to, the Windows user account that you want to map. Type the password of the user account in the Password box, and then click OK.
c. Re-type the password in the Confirm Password dialog box, and then click OK.
8. Repeat steps 5-7 to map other certificates or to map this certificate to other user accounts.
9. When you are finished creating the mappings that you want, click OK three times, and then quit Internet Services Manager, or close the IIS snap-in.
Many-to-One Mapping
Map Client Certificates by Using Wildcard Rules
To add a client certificate mapping by using wildcard rules:
1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties.
3. Click the Directory Security tab, and then under Secure communications, click Edit.
4. Click to select the Enable client certificate mapping check box, and then click Edit.
5. Click the Many-to-1 tab, and then click Add.
6. In the General dialog box, type a name for the rule, and then click Next.
7. In the Rules dialog box, click New.
8. In the Edit Rule Element dialog box that appears, configure the settings that you want for the rule, click OK, and then click Next.
NOTE: You should configure your matching rules to be as specific as possible. Use wildcard rules that match information from several different fields and sub fields.
9. In the Mapping dialog box, do one of the following:
• Click Accept this certificate for Logon Authentication, and then in the Account box, type, or click Browse to browse to, the Windows user account that you want to map. Type the password of the user account in the Password box.
-or-
• Click Refuse Access.
10. Click Finish.
11. Repeat steps 5-10 to create other mapping rules.
12. To establish the priority of the rules that you defined, click a rule in the list, and then click Move Up or Move Down to move the rule higher or lower on the list. Rules that are higher on the list have a higher priority.
13. Click OK three times, and then quit Internet Services Manager, or close the IIS snap-in.
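The two mapping methods described above (one-to-one, which requires the exported copy to be identical to the presented certificate, and many-to-one, where wildcard rules are tried in priority order with an Accept or Refuse outcome) are modelled here in Python as an added example; this is not Microsoft's or IIS's own code. The Contoso names, accounts, rule names and certificate bytes are constructed, and each certificate is reduced to the Subject and Issuer sub fields the Edit Rule Element dialog can match on.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Model of the two IIS 5.0 mapping methods (added example, not Microsoft's
# code). A certificate is reduced to the Subject and Issuer sub fields that
# the Edit Rule Element dialog can match on, plus its encoded bytes.
@dataclass
class Cert:
    subject: Dict[str, str]
    issuer: Dict[str, str]
    der: bytes  # encoded certificate (constructed placeholder bytes here)

@dataclass
class Rule:
    name: str
    elements: Dict[Tuple[str, str], str]  # (field, sub field) -> wildcard criterion
    account: Optional[str]                # account to map to, or None = Refuse Access

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def one_to_one(cert: Cert, mappings: Dict[str, str]) -> Optional[str]:
    """One-to-one: the exported copy must be identical to the presented
    certificate, so the lookup keys on the encoded bytes, not on a name."""
    return mappings.get(fingerprint(cert.der))

def many_to_one(cert: Cert, rules: List[Rule]) -> Optional[Tuple[str, Optional[str]]]:
    """Many-to-one: rules are tried in list order (Move Up / Move Down); the
    first rule whose elements all match decides, returning (rule name, account)."""
    fields = {"Subject": cert.subject, "Issuer": cert.issuer}
    for rule in rules:
        if all(fnmatch.fnmatchcase(fields[f].get(sub, ""), pat)
               for (f, sub), pat in rule.elements.items()):
            return rule.name, rule.account
    return None  # no rule matched: the certificate is not mapped at all

# Constructed sample certificates and rules (names and accounts are made up).
CA = {"CN": "Contoso Issuing CA", "O": "Contoso"}
FINANCE_CERT = Cert({"CN": "alice", "OU": "Finance", "O": "Contoso"}, CA, b"der-alice")
CONTRACTOR_CERT = Cert({"CN": "bob", "OU": "Contractors", "O": "Contoso"}, CA, b"der-bob")
BROAD = Rule("Any Contoso cert", {("Issuer", "O"): "Contoso"}, r"CONTOSO\WebUser")
SPECIFIC = Rule("Finance staff", {("Issuer", "O"): "Contoso", ("Subject", "OU"): "Finance"},
                r"CONTOSO\FinanceWeb")
REFUSE = Rule("Refuse contractors", {("Subject", "OU"): "Contr*"}, None)

# The specific and refuse rules must sit above the broad one: if BROAD is moved
# to the top it matches every Contoso-issued certificate and shadows the others.
RULES_GOOD = [SPECIFIC, REFUSE, BROAD]
RULES_SHADOWED = [BROAD, SPECIFIC, REFUSE]
```

Evaluating RULES_SHADOWED instead of RULES_GOOD shows why the note in step 8 and the ordering in step 12 matter: a broad rule at the top of the list maps every Contoso-issued certificate, including the contractor certificate that the lower rule was meant to refuse.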
Edit an Existing Wildcard Rule
To edit an existing wildcard rule:
1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties.
3. Click the Directory Security tab, and then click Edit under Secure communications.
4. Click to select the Enable client certificate mapping check box, and then click Edit.
5. Click the Many-to-1 tab, click the rule that you want to edit, and then click Edit Rule.
6. In the Edit Wildcard Mapping Rule dialog box, make the changes that you want, and then click OK.
7. Click OK four times, and then quit Internet Services Manager, or close the IIS snap-in.
Troubleshooting
If you use IIS to map client certificates to user accounts, you cannot also use the Windows Directory Service to configure client certificate mappings. You can use only one method or the other.
For additional information about related topics, click the article number below to view the article in the Microsoft Knowledge Base:
243353 (http://support.microsoft.com/kb/243353/EN-US/) Custom Certificate Mappings Are Not Recognized